Pierluigi Paganini November 02, 2022

Four malicious Android apps uploaded by the same developer to Google Play totaled at least one million downloads.

Malwarebytes researchers discovered four malicious apps uploaded by the same developer (Mobile apps Group) to the official Google Play. The apps are infected with the Android/Trojan.HiddenAds.BTGTHB malware, the apps totaled at least one million downloads.

Below is the list of the apps:

• Bluetooth App Sender (com.bluetooth.share.app). 50,000+ downloads
• Bluetooth Auto Connect (com.bluetooth.autoconnect.anybtdevices). 1,000,000+ downloads
• Driver: Bluetooth, Wi-Fi, USB (com.driver.finder.bluetooth.wifi.usb). 10,000+ downloads
• Mobile transfer: smart switch (com.mobile.faster.transfer.smart.switch). 1,000+ downloads

The researchers pointed out that older versions of the same apps have been detected in the past as different variants of Android/Trojan.HiddenAds. 

The apps were used as part of an adware campaign redirecting victims to websites under the control of the attackers. Some of the sites employed in the campaign host phishing pages.

“After the initial delay, the malicious app opens phishing sites in Chrome. The content of the phishing sites varies—some are harmless sites used simply to produce pay-per-click, and others are more dangerous phishing sites that attempt to trick unsuspecting users.  For example, one site includes adult content that leads to phishing pages that tell the user they’ve been infected, or need to perform an update.” reads the post published by Malwarebytes. “The Chrome tabs are opened in the background even while the mobile device is locked.  When the user unlocks their device, Chrome opens with the latest site.”  

Some websites were also designed to prompt users to install cleaner apps on their mobile devices and deliver additional malicious payloads.

In order to avoid detection, the malicious apps wait for some days before opening a phishing site in the Chrome browser, and then launch more tabs every two hours.

“It’s unclear if that means to wait an additional two hours after the first ad delay, or display another ad two hours after the first ad.” continues the report. “Regardless, it is another example of using delays to obfuscate detection.  These type of log entries are recorded every fifteen minutes, constantly setting new time released ads.”

Malwarebytes researchers believe the apps are part of a malware operation called HiddenAds, which dates back at least since June 2019.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Android apps)

[adrotate banner=”5″]

[adrotate banner=”13″]